Default host to localhost when in development mode. #514

Merged
merged 5 commits into from

4 participants

Postmodern James Tucker Markus Prinz Bryan Helmkamp
Postmodern

Running Rack apps on 0.0.0.0 in development mode will allow malicious users on the local network (ex: a Coffee Shop or a Conference) to abuse or potentially exploit the app. Safer to default host to localhost when in development mode.

Also default the :Host option to localhost, when in development, in Rack::Handler::WEBrick, Rack::Handler::Mongrel, Rack::Handler::Thin.

postmodern added some commits
Postmodern postmodern Default host to localhost when in development mode.
* Running Rack apps on 0.0.0.0 in development mode will allow malicious
  users on the local network (ex: a Coffee Shop or a Conference) to abuse
  or potentially exploit the app. Safer to default host to localhost when in
  development mode.
28b0144
Postmodern postmodern Rack::Handler::WEBrick: default the host to localhost in development mode. 5a9169d
Postmodern postmodern Rack::Handler::Mongrel: default the host to localhost in development mode. 5d2edd8
Postmodern postmodern Rack::Handler::Thin: default the host to localhost in development mode. 8377df0
James Tucker
Owner

Using a hostname can cause issues on some systems where servers don't properly support ipv6. Should we prefer 127.0.0.1?

Postmodern

Using 127.0.0.1 would assume the system supports IPv4. Better to use localhost and let /etc/hosts map it to the correct address/interface.

Markus Prinz

Either way, right now valid_options returns incorrect documentation for the default host value where applicable (it says localhost right now, at least for Thin and Mongrel). So if this pull request is rejected, that method should be updated to use the correct default host.

@raggi Would it avoid the issues you mentioned if we use Socket.ip_address_list to detect the IP for localhost?

Postmodern

Fixed valid_options. I noticed there is some repetition among the valid_options methods. Perhaps they could be extracted to a common Handler class/module?
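The shared helper floated in the comment above, written out as an added example that is not rack's own code: the module name and its methods are hypothetical, and loopback_addresses takes up the Socket.ip_address_list idea from the earlier comment.

```ruby
require 'socket'

# Added example, not rack's own code: the default-host rule from PR #514 pulled
# into one shared helper instead of being repeated in each handler.
# Module and method names here are hypothetical.
module RackHostDefaults
  LOOPBACK_HOST  = 'localhost'
  ALL_INTERFACES = '0.0.0.0'

  # The PR's rule: bind to localhost in development, to every interface otherwise.
  # A missing RACK_ENV counts as development, so the fallback is the safe one.
  def self.default_host(env = ENV['RACK_ENV'])
    (env || 'development') == 'development' ? LOOPBACK_HOST : ALL_INTERFACES
  end

  # Effective bind address for a handler: an explicit :Host wins, then a
  # WEBrick-style :BindAddress the caller passed directly, then the default.
  def self.effective_host(options, env = ENV['RACK_ENV'])
    options[:Host] || options[:BindAddress] || default_host(env)
  end

  # True when the address accepts connections from the whole network,
  # i.e. the exposure the PR avoids in development.
  def self.exposed?(host)
    %w[0.0.0.0 :: *].include?(host.to_s)
  end

  # Help text for valid_options, generated from the same rule so the
  # documented default cannot drift from the real one.
  def self.host_option_doc(env = ENV['RACK_ENV'])
    "Hostname to listen on (default: #{default_host(env)})"
  end

  # Alternative to relying on /etc/hosts: enumerate this machine's loopback
  # addresses with Socket.ip_address_list (no hosts-file or DNS lookup),
  # IPv4 first, then IPv6, so a host missing one address family still gets
  # a usable loopback address.
  def self.loopback_addresses
    addrs = Socket.ip_address_list
    (addrs.select(&:ipv4_loopback?) + addrs.select(&:ipv6_loopback?)).map(&:ip_address)
  end
end
```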

Bryan Helmkamp

Wouldn't a better default be localhost in production too? For example, in the common configuration of Ruby behind Nginx on an EC2 server. 0.0.0.0 seems better as an opt-in behavior.

Postmodern

@brynary Good idea. I don't know how that might affect Phusion Passenger or Heroku (they default to using WEBrick). In the past, I would configure Thin to explicitly listen on localhost:9000.

Bryan Helmkamp
James Tucker raggi merged commit 15796c4 into from
James Tucker
Owner

Thanks

Peter Wilmott p8952 referenced this pull request from a commit in p8952/rack
Peter Wilmott p8952 Update to reflect changes in #514 076711a
Lucas Fais lucasfais referenced this pull request in azukiapp/azk
Closed

Improve generator for ruby apps using rack gem #218

Aaron Patterson tenderlove referenced this pull request from a commit
Peter Wilmott p8952 Update to reflect changes in #514 374b315
Commits on Feb 10, 2013
  1. Postmodern
  2. Postmodern
  3. Postmodern
  4. Postmodern
Commits on Feb 28, 2013
  1. Postmodern
5 lib/rack/handler/fastcgi.rb
@@ -30,8 +30,11 @@ def self.run(app, options={})
end
def self.valid_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- "Host=HOST" => "Hostname to listen on (default: localhost)",
+ "Host=HOST" => "Hostname to listen on (default: #{default_host})",
"Port=PORT" => "Port to listen on (default: 8080)",
"File=PATH" => "Creates a Domain socket at PATH instead of a TCP socket. Ignores Host and Port if set.",
}
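Review bot: the `environment` / `default_host` pair added at the top of `valid_options` here is copied verbatim into every handler in this patch, the repetition the discussion already flags; one helper (for instance a method on `Rack::Handler` that returns the default host) would keep the string shown in `Host=HOST` and the value each `run` actually binds from drifting apart. This hunk also only changes the help text: since the FastCGI `run` is not touched, confirm that its real bind default matches what the text now documents.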
10 lib/rack/handler/mongrel.rb
@@ -7,8 +7,11 @@ module Rack
module Handler
class Mongrel < ::Mongrel::HttpHandler
def self.run(app, options={})
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
server = ::Mongrel::HttpServer.new(
- options[:Host] || '0.0.0.0',
+ options[:Host] || default_host,
options[:Port] || 8080,
options[:num_processors] || 950,
options[:throttle] || 0,
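Review bot: `ENV['RACK_ENV'] || 'development'` means a process started without RACK_ENV binds to localhost only, so a production deployment that relied on the old unconditional `'0.0.0.0'` default and never set RACK_ENV stops accepting remote connections after this change. That is the safe direction to fail, but it is a user-visible behaviour change and should be called out in the changelog together with the explicit `Host=0.0.0.0` opt-in.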
@@ -39,8 +42,11 @@ def self.run(app, options={})
end
def self.valid_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- "Host=HOST" => "Hostname to listen on (default: localhost)",
+ "Host=HOST" => "Hostname to listen on (default: #{default_host})",
"Port=PORT" => "Port to listen on (default: 8080)",
"Processors=N" => "Number of concurrent processors to accept (default: 950)",
"Timeout=N" => "Time before a request is dropped for inactivity (default: 60)",
5 lib/rack/handler/scgi.rb
@@ -17,8 +17,11 @@ def self.run(app, options=nil)
end
def self.valid_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- "Host=HOST" => "Hostname to listen on (default: localhost)",
+ "Host=HOST" => "Hostname to listen on (default: #{default_host})",
"Port=PORT" => "Port to listen on (default: 8080)",
}
end
10 lib/rack/handler/thin.rb
@@ -6,7 +6,10 @@ module Rack
module Handler
class Thin
def self.run(app, options={})
- host = options.delete(:Host) || '0.0.0.0'
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
+ host = options.delete(:Host) || default_host
port = options.delete(:Port) || 8080
args = [host, port, app, options]
# Thin versions below 0.8.0 do not support additional options
@@ -17,8 +20,11 @@ def self.run(app, options={})
end
def self.valid_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- "Host=HOST" => "Hostname to listen on (default: localhost)",
+ "Host=HOST" => "Hostname to listen on (default: #{default_host})",
"Port=PORT" => "Port to listen on (default: 8080)",
}
end
10 lib/rack/handler/webrick.rb
@@ -6,7 +6,10 @@ module Rack
module Handler
class WEBrick < ::WEBrick::HTTPServlet::AbstractServlet
def self.run(app, options={})
- options[:BindAddress] = options.delete(:Host) if options[:Host]
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
+ options[:BindAddress] = options.delete(:Host) || default_host
options[:Port] ||= 8080
@server = ::WEBrick::HTTPServer.new(options)
@server.mount "/", Rack::Handler::WEBrick, app
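Review bot: the rewritten assignment `options[:BindAddress] = options.delete(:Host) || default_host` overwrites a `:BindAddress` the caller passed directly, which the old `if options[:Host]` guard left untouched when no `:Host` was given; `:BindAddress` is WEBrick's own option, so callers using it natively now silently get `default_host` instead. Suggest `options[:BindAddress] = options.delete(:Host) || options[:BindAddress] || default_host` so an explicit bind address still wins.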
@@ -15,8 +18,11 @@ def self.run(app, options={})
end
def self.valid_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- "Host=HOST" => "Hostname to listen on (default: localhost)",
+ "Host=HOST" => "Hostname to listen on (default: #{default_host})",
"Port=PORT" => "Port to listen on (default: 8080)",
}
end
7 lib/rack/server.rb
@@ -185,11 +185,14 @@ def options
end
def default_options
+ environment = ENV['RACK_ENV'] || 'development'
+ default_host = environment == 'development' ? 'localhost' : '0.0.0.0'
+
{
- :environment => ENV['RACK_ENV'] || "development",
+ :environment => environment,
:pid => nil,
:Port => 9292,
- :Host => "0.0.0.0",
+ :Host => default_host,
:AccessLog => [],
:config => "config.ru"
}
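Review bot: `default_host` is derived from `ENV['RACK_ENV']` at the moment `default_options` runs, not from the `:environment` value that ends up in the merged options, so an environment selected through options rather than the variable (for example rackup's `-E` / `--env` switch) still gets `localhost` as the default `:Host`. Either compute the host default after the environment option is known, or document that only RACK_ENV influences the default bind address.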